Thursday, January 3, 2013

Setup and Tweak Your New Asus RT-AC66U or N66U Router! (partially OT)

Asus has been doing an increasingly impressive job in the "home" WiFi router market. With performance approaching enterprise-class routing capability and second-to-none WiFi performance (for an unmanaged single unit), they're hard to beat for the enthusiast market. By using something like TomatoUSB firmware you can get many enterprise-class features. While I may write an article in the future on Tomato or DD-WRT tweaking, I'm going to go through the setup here using the new "Merlin" firmware. Eric Sauvageau, the author of the modified firmware, states of this:

"The primary goals of this project are to fix bugs, add a few basic
features and tweaks to the original firmware. This firmware will try to
remain as close as possible to the original firmware."

Sounds good to me. I've spent a lot of time with Tomato and DD-WRT on my home network, and a change of pace might be nice. Also, you get the peace of mind that you're using mainly the manufacturer's code on this newer hardware.

Note: Some ideas covered in this article may apply to other consumer or enterprise level hardware.

Assumptions:

You have purchased either a RT-AC66U or RT-N66U (Update 7/6/13: RT-AC56U now supported as well)

You have backed up, memorized, or otherwise, your old router settings

You're comfortable with the basics; I'm not going to re-cover the manual

You have power and an internet connection. Setup will be easier and more reliable if you also have a house or apartment, which you should be inside of during this tutorial.

Let's get to work:

Connect the router as described in the manual. If you have a DHCP server (other than the one on the router from your ISP) you'll either need to temporarily disable it or ensure it's assigning the 192.168.1.x range excluding .1.

Perform the initial "Quick Internet Setup" wizard

After/if it prompts you to update firmware, go ahead and do so.

If desired, (and some of my steps will assume this is done) download the "Merlin" firmware from here. In the interface click "Administration->Firmware Upgrade" and specify the path to the trx file.

Now that we've upgraded, let's highlight important setup steps. I'm not going to cover the specifics of your environment, just things I recommend you pay attention to. First, navigate to "Wireless->WPS" and set it to "OFF". Most implementations of WPS are NOT secure at all. For more information, see: This episode of the wonderful Security Now! podcast or this lifehacker article. There are many ways to get a complex WiFi key to nearly any device securely.

Navigate to "Wireless->Professional", check the "Tx Power adjustment" and reduce it if possible. (Some experimentation required.) Make sure you use the dropdown and do both 2.4GHz and 5GHz. Lowering your broadcast power will slightly shorten the range so you aren't broadcasting to your neighbors (polite) and may lengthen your hardware life. (See the effect @ "Tools->Radios Temperature")

If you disabled the DHCP server, make sure you go to "LAN->DHCP Server->Log DHCP Queries" and hit "Disable".

To log stats, insert a USB thumb drive. It can be tiny and slow if you want. Navigate to "System Log->General Log" and hit "Refresh". Copy the contents down and search them for the mount messages. In my case, the only message was "Jan 3 18:47:16 hotplug[1032]: USB vfat fs at /dev/sda mounted on /tmp/mnt/1GB", which corresponds to /mnt/1GB for short, since /mnt is a symlink to /tmp/mnt. Write this down.

Navigate to "Tools->Other Settings" and set "Traffic history location" to "Custom location".

Set "Save history location" to the value you wrote down in step 8, select "Create or reset data files" (if this is the first time you have done this on this disk) and hit "Apply".

(Added 1/12/13) Unless you're using STP with your other switches, etc. navigate to "Lan->Switch Control" and set "Spanning-Tree Protocol" to "Off". Cool that it supports STP though! (Update 10/11/2013: There has been some confusion on this, so to simplify: If you have more than one switch not including this Asus router, leave STP enabled. Otherwise, disable it. If you would like to better understand see this.)

(Added 1/20/13) If you aren't using IPv6 (yet), navigate to "IPv6"->"Auto Configuration Setting"->"Enable Router Advertisement" and set it to "Disable".

(Added 1/20/13) Let's disable some other services that most people won't need. Unless you're using this router as a filesharing and/or DLNA device, do the following: Navigate to "USB Application"->"Media Server"->"Enable DLNA Media Server" and set it to "Off".

(Continued from #13) Navigate to "USB Application"->"Miscellaneous Setting" and turn off "Force as Master Browser" and "Set as WINS Server" and click "Apply".

(Added 2/4/2013) Recommended: Though I haven't tested (update 6/7: it's fine as of now, so if you need UPnP go ahead) whether this firmware is impacted by the recent discovery that a substantial number of firmwares expose UPnP on the external interface of the router(!!), I still recommend turning it off if it's feasible. This means you'll have to forward ports manually, but if you're reading this I suspect you know how to do so anyhow. (If not, comment as such and perhaps I'll write an article about it.) To disable the UPnP service navigate to "Advanced Settings->WAN->Internet Connection->Basic Config->Enable UPnP" and set it to "No". Update 5/27/2013: How to forward ports:

To forward ports, first determine what ports your service/application uses. While a search for "(Service) forward ports" generally returns the ports needed for that service, you can also use something like portforward.com to look it up. Note that the port spaces of TCP and UDP protocols are separate, so make sure you get the protocol right and know that the port numbers can overlap. There are some pre-baked shortcuts in the Merlin/Asus firmware on the port forwarding page (listed in the next step) that will populate the ports for you; it may be worth checking those out to save some time.

After you determine your ports, open the management interface of your Asus router and navigate to "WAN->Virtual Server/Port Forwarding".

Ensure "Enable Port Forwarding" is set to "Yes".

Under "Port forwarding List" type the name of your application under "Service Name". This entry is cosmetic only and serves to identify this forward.

Under "Port Range" enter the port(s) needed for this application. To open a range, separate the lowest port and the top port with a ":". For example, to open up ports 80 through 90 you would put "80:90". You can also put non-joining port ranges on the same rule by adding more ports after a comma. For example, to open ports 80 and 90, you would put "80,90".

On "Local IP" put the IP address of the machine hosting the service you would like to expose to the internet. If you don't know this address and you're (as default) using the DHCP server on the router you can find the address by going to the DHCP management on your router.

On "Local Port" you generally want to put exactly what you put under "Port Range". The exception to this rule would be if you want to expose an internal port as a different port externally.

Under "Protocol" select the proper protocol; TCP, UDP, or Both. Again, note that selecting "Both" would result in both sets of ports being opened.

Click the plus icon "Add/Delete" and then click "Apply" at the bottom. Note that if your IP address changes then you'll need to update the rule.

(Added 7/20/2013,Critical) A vulnerability has been discovered with the AICloud software. There is an official firmware that has been released that is reported but not confirmed to fix the problem, but that includes a very poor wifi driver so I would not recommend its use unless you have no 5ghz WiFi clients. The Merlin 372_30_2 build does not address this problem because Eric based it on a pre-release 372 version that didn't yet include the fix. (Confusing versioning by Asus..) If you don't run that new stock FW make sure you disable the AICloud! (AICloud->Smart Disk/Cloud Access) Update 7/24/13: There is a Merlin build that addresses this issue now available. See below for links. Update 2/18/14: There have been stories about either this exploit and/or a potentially newly found exploit involving FTP and the AI cloud feature. I think the best advice at this time is from Eric (the author of the firmware). The point: Because it is uncertain if this is entirely based on the old vulnerability, disable these features until the full nature of the exploit is disclosed and confirmed fixed. Update 3/16/14: This should be fixed with the newest build (374.40) but frankly I would still leave them off.

(Added 11/3/2013) If you notice that your WiFi continues to lose connectivity and you need to reboot the router to fix it, try naming your 2.4GHz and 5GHz radios differently. I've noticed that some dual band devices (the iPad specifically) will bounce between frequency spectra and this will cause the Asus to become confused and stop relaying requests to the DHCP server correctly. To do so go to Wireless->General and use the dropdown to switch between "2.4GHz" and "5GHz", ensuring they have different SSIDs so that your devices will target one of the two explicitly.

If I find any other important info I'll add it. Enjoy!

Note 1: If you enable "Tools->Other Settings->Enable advanced (per IP) monitoring" it will disable hardware acceleration. While you most likely won't notice this unless you've got an internet connection approaching 100Mbit, be aware that you may lose some performance for that functionality.

Note 3: I'm investigating an issue that results in WiFi being unable to communicate with the LAN ports. It manifests itself in the log as: "Jan 11 17:05:23 kernel: eth1: received packet with own address as source address". I'll post updates on this later.

Update 3/29/2013: Eric just uploaded a new beta build based on a beta release from Asus. A couple of exciting changes here including a new wireless driver and tools. Note that you'll need to re-add your WoL clients (if you had any) because Asus added a new WoL tool. Also, note this warning from Eric:

"New wireless driver. This new driver brings quite a few improvements over the older one. Note that if you experience any issue with this new driver, it is strongly recommended to revert back to factory defaults, and re-configuring your router. There are a few low-level changes, and some new default values that you won't pick up until you revert back to factory defaults." Release Thread, Changelog, Download

Update 4/4/2013: It looks like some folks are having issues on the new build with the 5Ghz radio. There is quite a lively discussion going on and Eric has answered quite a few questions.

Update 7/24/2013: Another new build, (3.0.0.4.372.31) this time fixing the AI Cloud security issue and introducing the Yandex DNS filtering service. Be wary though that Yandex is in Russia, so if you use this feature (off by default) it may noticeably slow internet browsing since it redirects all your DNS queries. Release Thread, Changelog, Download.

Update 10/3/2013: Eric has been hard at work on a new build (3.0.0.4.374.33) based on a new source that includes fixes to general performance, parental controls, and more. Note this warning from Merlin:

"IMPORTANT:
Due to the SDK change on the RT-N66U, you *MUST* revert back to factory default and manually reconfigure your router if coming from an older firmware! The only exception is if you were previously running either the Pixie Dust release (3.0.0.4.374.32-sdk6), or a previous beta of 3.0.0.4.374.33 (except for the -sdk5 Beta, of course).

Asus also recommends doing the same for the other models, however feel free to try without doing so. It might work fine for most people, but be prepared to do a factory default reset + reconfiguration if you run into any odd issues.

And by "manually reconfigure", I really mean it. Reloading saved settings would totally nullify the action of resetting to factory defaults, since you will just end back to where you started, with all the same (possibly invalid) settings."

Update 12/14/2013: New build! (3.0.0.4.374.35_4) GPL 374.339 (Time machine support for some models), Asus' OpenVPN implementation. (Note this is a total overhaul), Namecheap DDNS, and more. Release Thread(With Changelog), Download.

Update 1/22/2014: New build! (3.0.0.4.374.38) GPL 374.2078, major driver/SDK changes. RT-N16 is not supported by this build. This is SDK6 only. In short, if you have issues with this build, particularly with wi-fi performance, fall back to an earlier build. That said, the feedback in the forum regarding this build has been great thus far. Note: in most situations, Eric does recommend resetting to factory defaults & manually re-configuring. Release Thread With Changelog, Download

Update 2/16/2014: New build, out for a bit. (3.0.0.4.374.39) Dumps SDK5 and adds a new parental control option to use DNS services to block category based URLs as well as bug fixes. Release Thread, Changelog, Download

Update 3/16/2014: New build: 374.40. Not stable for the RT-AC68U but fixes the RT-N16. DNSFilter enhanced along with IPv6 fixes. This build should also address the highly publicized security issues from last month, but I would still recommend highly against enabling FTP, "Cloud AI", or any other outward facing services on principle. Release Thread, Changelog, Download.

Update 6/6/2014: New build: 374.43. Another new release from Eric today, mostly bugfixes. One feature added; the ability to force a DDNS refresh after a configurable number of days. Release Thread, Changelog, Download. Also, SmallNetBuilder forum member "000111" (7?) had the great idea to start a donation thread for Eric. If you appreciate his efforts it's worth considering heading over to this thread and throwing him a few bucks for the effort.

Update 11/7/2014: New build: 376.48_1. Merge with Asus code 3.0.0.4.376_2769, Samba upgraded to 3.6.24, Miniupnpd to 1.9, Dropbear to 2014.66, OpenSSL 1.0.0o, SNMP enhanced, RT-AC68P support. Release Thread, Changelog, Download. Also, Eric (Merlin) warns of a bug that causes wifi issues. Quoting him: "Note: Previous firmwares (both Asuswrt-Merlin and stock Asus) suffered from a bug where some nvram settings might end up being corrupted, which can lead to the loss of the 2.4 or 5 GHz settings on the webui with newer firmwares. To fix the issue, either do a factory default reset, or run the following commands over SSH:

Code:
nvram set wl0_band=2
nvram set wl1_band=1
nvram commit

The actual bug was fixed both on my end and by Asus a few releases ago, however the corrupted setting will cause issues starting with newer firmware versions if not corrected."

Update 8/29/2015: There have been several new builds, the last of which was great, but this update is to address how to perform source based routing with Merlin/Busybox:

In my case I've got two different internet connections and I want to selectively route different machines through different internet gateways. To accomplish routing traffic based on the source, we'll use the ip rule and ip route commands. First, make the rule:

ip rule add from [IP]/[CIDR] table [NAME]

where [IP] is the source address or range, [CIDR] is the applicable CIDR prefix length, and [NAME] is a unique integer identifying the routing table, e.g.

ip rule add from 10.0.0.22/32 table 10

then the custom route:

ip route add default via [Gateway IP] table [NAME] dev [ADAPTER]

where [Gateway IP] is the IP of the desired gateway, [NAME] is the same integer as referenced above, and [ADAPTER] is the NIC to which the rule applies, i.e.

ip route add default via 10.0.0.254 table 10 dev eth0

You can re-use the route for multiple rules if desired. To make these rules persistent you'll need to use user scripts. I use services-start with a 10 second sleep in the beginning. Have fun!
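As an added example (not from the post or the firmware), here is a services-start script that makes the two commands above survive a reboot. It assumes the sources 10.0.0.22 and 10.0.0.23, gateway 10.0.0.254, interface eth0 and table 10 (all placeholders), checks for an already-installed rule before adding it so re-running the hook does not stack duplicates, and can be previewed with DRY_RUN=1:

```shell
#!/bin/sh
# /jffs/scripts/services-start -- constructed example, not from the post or the firmware.
# Makes the post's source-based routing survive a reboot on Asuswrt-Merlin.
# Assumed values: hosts 10.0.0.22 and 10.0.0.23 leave through the second gateway
# 10.0.0.254 on eth0; everyone else keeps the router's normal default route.
# Install with: chmod a+rx /jffs/scripts/services-start

# One policy per line: "SOURCE/CIDR TABLE GATEWAY DEVICE".
# TABLE is a plain integer (1-252; 253-255 are reserved by iproute2).
# Two sources may share a table, as the post notes; its route is added only once.
POLICIES='
10.0.0.22/32 10 10.0.0.254 eth0
10.0.0.23/32 10 10.0.0.254 eth0
'

# run CMD...: execute it, or only print it when DRY_RUN=1 so the exact
# ip(8) commands can be previewed without touching the routing tables.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# has_rule SRC TABLE: is this policy rule already installed?  Keeps the
# script idempotent: re-running it must not stack duplicate rules.
# "ip rule show" prints a /32 source without its prefix length, so strip it.
has_rule() {
    [ "${DRY_RUN:-0}" = "1" ] && return 1
    ip rule show 2>/dev/null | grep -q "from ${1%/32} lookup $2"
}

# has_default_route TABLE: does the table already carry a default route?
has_default_route() {
    [ "${DRY_RUN:-0}" = "1" ] && return 1
    ip route show table "$1" 2>/dev/null | grep -q '^default '
}

# apply_policies: install every rule and each table's default route, then
# flush the route cache so the new policy also applies to existing flows.
apply_policies() {
    seen=" "
    echo "$POLICIES" | while read -r src table gw dev; do
        case "$src" in ''|'#'*) continue ;; esac        # skip blanks/comments
        if ! has_rule "$src" "$table"; then
            run ip rule add from "$src" table "$table" || echo "rule failed: $src" >&2
        fi
        case "$seen" in *" $table "*) continue ;; esac   # route already handled
        seen="$seen$table "
        if ! has_default_route "$table"; then
            run ip route add default via "$gw" table "$table" dev "$dev" \
                || echo "route failed: table $table" >&2
        fi
    done
    run ip route flush cache
}

# Only act when invoked as the services-start hook itself; sourcing the file
# elsewhere just defines the functions (e.g. to preview with DRY_RUN=1).
case "$0" in
    */services-start)
        sleep 10        # as in the post: let the WAN interfaces settle first
        apply_policies
        ;;
esac
```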

148 comments:

Thanks thehin, but I'm not the author of the firmware, just this blog post about the router. :) The firmware author is Eric Sauvageau and his homepage can be found here. I'm thankful that he has taken this on since that default firmware leaves a bit to be desired.

Hi Toby, You may not have an opinion on this, but... Having just bought this router and wanting to use the inbuilt BT download app, I can't find a way to configure the app to connect to my VPN service to enable anonymous BT downloads as if I was using my pc securely. Do you have any advice or ideas on how to achieve this - as I haven't! Great router with excellent range and throughput though. Thanks for any advice!! Scott.

Hey scottylomez!I'm by no means a bittorrent guru, but hopefully I can get you pointed in the right direction. You won't find this option in the GUI but it looks like the package the router uses is called Transmission. The config file can be manipulated by turning on SSH access ("Administration"->"Enable SSH"->"Yes"... make sure "Allow SSH access from WAN" is off!) and then connecting with your favorite terminal client (Putty, etc) using the same login you use for the web interface. The main conf file can be found @ /tmp/mnt/(sdb1)/asusware/etc/dm2_transmission.conf where (sdb1) is what your drive is mounted as. You can find that by looking @ the entry in the system log when you plug it in. For guidance on how to configure the transmission client, look here and here. Good luck!

Wow - thanks Toby - might be a bit out of my depth but will have a go later. If I break the transmission config file, will I only break the 'Download Master' application, meaning a reinstall will fix any damage?

@scottylomez Yup, you can always "Uninstall" and then "Install" again from the GUI and it will re-extract the contents from the firmware. Alternatively, you can backup the config file before you start by just doing something like cp dm2_transmission.conf dm2_transmission.conf.orig . The firmware won't touch your custom file.

This software is the actual firmware made by Asus with some very welcome changes made by Eric Sauvageau. It works so well with the original hardware that you can use the built in Asus flash utility to go back and forth or upgrade. I'm sure you'll find it quite easy to use. Good luck & have fun!

Hey there, Unfortunately the default firmware does not allow for URL monitoring and the Merlin firmware hasn't added it in. The closest thing is URL filtering which is included, and that can be found @ Advanced-> Firewall-> URL Filter. That filter allows for individual words anywhere in the URL, i.e. "uglypuppies" would block http://host.theuglypuppieshouse.com as well as http://uglypuppies.net.

If you really needed the functionality remember that this firmware uses busybox so you could in theory add one of the many URL monitoring packages available for that manually.

Still issues with parental control on 3.0.0.4.270. Will set alright but will not close down access to the internet at the set time. If anyone is on the internet, access is still possible so of no use. Is there a fix?

Good observation; I was able to recreate your issue. Any new connections are blocked, but existing connections (I.E. Netflix, etc) remain open. It looks as if the parental controls use IPTables forwarding rules with the TIME module. Here's an example:

This has to do with the way IPTables evaluates connections. I tried adding an explicit MAC filter via a cron job and that didn't do the trick either; have you considered scheduling a reboot job to correspond with the time that the access is turned off? That would obviously kill all sessions. Another option would be to try installing tcpkill as optware and cron that.

I just bought the RT-AC66U and I have a slight problem. I set up the router the way it shows in the manual but I can't seem to move past that step. The WAN and LAN lights are solid blue and stable, but the Power light flashes very slowly.

When I go into "Network & Sharing Center" there's an "!" between the PC and "Unknown Network" and an "X" between the "Unknown Network" and Internet.

I also tried the "192.168.1.1" address, but it comes up as not working.

I did notice one strange thing: my PC's ethernet port emitted a green light with my last router, but with this one, its red & green O.o

I keep hearing how great and easy to setup this router is, but I'm failing at this setup pretty hard. Any and all help is appreciated.

I have read everything here and the Merlin website but I don't really see anything about the problem I am having with the AC66U I have. Bought it back in March to replace a Linksys router (network seemed sluggish and erratic). Just last week I suddenly noticed that the wireless computers were being identified but I could not connect to them whereas the wireless computers could access every LAN computer. It gets better. The wireless computers can't access each other. The only reason I finally noticed this is that my one wireless computer runs my music system and I listen on other computers. I have a lot duplicated on the LAN system but not everything, so I finally noticed that I was missing songs when I changed settings on my media player (JRiver) and noticed that there were no files from that computer. I don't recall if there was a connectivity problem from the very beginning. I am on the latest ASUS beta build and am ready to try the latest Merlin beta; but before I do any suggestions? I have checked all the settings and I have it rather basic. Nothing fancy because I'm not good at networking. There was the comment about wireless not communicating with LAN and I'm not sure if that would be related. Thanks.

Boy that's tough to help on that one; there are so many variables there that I can't help much without seeing it. I can say that you probably don't have anything to worry about with the extra light on your PC; I'm guessing your old router had 100Mbit switch ports while the new Asus router has 1Gbit. Your now faster LAN connection is most likely displayed by your PC with that extra light over the NIC. As for the other issue, all I can say with the limited information is to double check the connections and ensure your internet service is working directly on the device from your service provider.

Unfortunately I have not been able to re-produce your issue. I did a test between a few machines and devices on my WiFi network without issue. Here are some things to check:

- Ensure you're using the standard wireless and not guest wireless for your devices.
- Make sure your device is set to AP only on the Wireless->Bridge page.
- (unlikely) Make sure there isn't a huge amount of interference in your environment. This is very unlikely to cause what you're reporting but if you're in a high density location it may be worth doing a quick verification.
- Make sure you don't have any odd static routes set that would render wireless clients unable to see each other. (LAN->Route, by default empty)

When troubleshooting, make sure you use IP addresses (IPCONFIG on windows hosts) to take name lookup out of the loop. Good luck!

Found the problem. I have Kaspersky on all my computers and apparently with the last update (which was within the last month) it changed the settings to public network on the wireless computers. Changed it to a local network and now everything works as it should. Way too many settings to go through on Kaspersky. (and I am also on Win8).

Great question. I think this may be possible by using a custom dnsmasq.conf file, but I haven't tried it yet. To give it a shot, create the custom dnsmasq.conf file as outlined in Merlin's readme. In short, you would change the settings to what you want out of the GUI, copy /tmp/etc/dnsmasq.conf to /jffs/configs/ . You would then need to change the DHCP scopes to be interface specific. Since the router expects a certain range it will be easiest to take the DHCP range setup by the GUI and split it into the number of subnets you want based on the number of guest networks enabled. For example, if you have a guest network on the 2.4GHz range and one on the 5GHz range then you would need to add two to each of the other standard interfaces you want to serve up DHCP on. Count the total interfaces and divide the DHCP scope up accordingly. After determining this, edit your custom dnsmasq.conf file (under the jffs... dir) to have scopes per their interface. The guest network interfaces are as follows:

2.4Ghz: wl0.x where x= the number representing the guest network from 1 to 3, I.E. wl0.1 for the first guest network.

5Ghz: wl1.x where x= the number representing the guest network from 1 to 3, I.E. wl1.1 for the first guest network.

For an example of how to setup multiple scopes in DNSMASQ, see this link. Essentially you will change the DHCP scope options to have the interface as a prefix to the argument, I.E.:

dhcp-option=wl0.1,6,208.67.222.222,208.67.220.220

You'll need to specify all the other options for each, and you'll need to specify a scope for each interface including the "standard" interfaces as well. Using this, you can specify what options (including DNS servers) you want on each scope.

Once you're done, save the file and restart the router. You should now get the DNS servers and other DHCP options associated with the scope served on that interface.

There may be some other entware/optware options to accomplish the same by running multiple DHCP servers bound to specific interfaces, but I think this would be worth a try before going down that route. If you get a chance let us know if it works and if you have any additional questions feel free to ask!

Dear toby - I have a question - I know you're not official support but I love this site and learned a lot from your post!

I just got an N66u after an old WRT54GL with tomato :-) I'm loving it mostly, and 5ghz on my laptop is amazing!

The problem is that I have a real "dead zone" for mobile devices, in the same place where it a) previously worked with the outdated WRT54GL and b) works with laptops on 2.4GHz (not to mention 5GHz).

This is on an iPhone 5 AND a newish Android device, so I don't think it's the mobile hardware that's slow.

Do you have any recommendations on what I should do with the settings? I'm running pretty much vanilla asus firmware (updated to latest), but would be happy to install custom FW if you think that'd help. thanks again very much for any help and insight toby!!

Hi James! Thanks for posting. Making this sort of determination can be a bit difficult there are so many possible causes of interference. Here's where I'd start:

1> Adjust antennas to get the best signal in that spot using something like inSSIDer to determine signal strength. (it's kinda fun to use anyhow :) )
2> Force devices to use the 2.4GHz range by disabling or changing the SSID on the 5GHz range. Since 2.4 was working for you previously perhaps there is something interfering with the 5GHz spectrum.
3> You could try upping the transmit power (I know the Merlin FW can do it) but I doubt that will help much. For why, see this.
4> Try changing the channel bandwidth from "auto", "20/40", "20/40/80" (5GHz) to "20". Channel bonding can exacerbate reception issues when the signal strength is low.

Hopefully one of those points helps you remediate the issue. Good luck!

Hi Toby, great work, and a great read. I was wondering if there is a 'simple' (insert chuckle) way to make my RT-AC66U have user/IP/MAC connection limits, and/or bandwidth limits over WiFi? Even daily/weekly/monthly data quotas being assigned per MAC address would be really cool too!

Thanks in advance if you have any ideas, or can point me in the right direction.

Hey Dave, thanks for the kind words! You could do connection limits on a per IP (or block of IPs) basis using the connlimit module, which is installed with the IPtables build on the Asus devices. If, for example, you wanted to limit everyone on the 192.168.1 subnet to a total of 500 HTTP connections, you could use the command:

Where -A is append, FORWARD is the forwarding chain (think of it like the router chain), -s 192.168.1.0/24 is the source IP range, --dport 80 is the port, -m connlimit is the connlimit module, --connlimit-above 500 is the number of concurrent sessions, and -j REJECT is the action to be taken outside that range.

This could be targeted to an individual IP as well; if you wanted to limit to WiFi only you may be able to use -i eth1 instead of -s IPADDR to limit based on input interface rather than IP. Keep in mind that due to the way connections are maintained you'll have to play with the values to get the desired effect. You can see connections being tracked on the System Log->Active Connections page.

To add this rule to your IPTables every boot, you will need to use a shell script. You can find more information about setting up scripts here and here. In short, you'll need to format the JFFS partition, create the scripts directory, create a firewall-start script. As Eric points out in his readme, make sure you chmod a+rx /jffs/scripts/* after adding to mark it as executable, and make sure the script starts with #!/bin/sh.

On fully fledged Linux installs, you can use the quota module to create a limit on a per host/service basis but it's not installed on the Asus platform. (cat /proc/net/ip_tables_matches) Connbytes is there which may facilitate something close to what you're looking for so you may want to look into that module. Feel free to post any other questions or findings you have.
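The connection-limit rule described in the reply above, as an added example (not the commenter's or the firmware's code) in the form of a /jffs/scripts/firewall-start script. It assumes the 192.168.1.0/24 LAN, a 500-connection limit and an iptables that supports the -C check; note that --dport needs -p tcp, and that connlimit counts per source host unless --connlimit-mask widens the group:

```shell
#!/bin/sh
# /jffs/scripts/firewall-start -- constructed example, not from the post or the firmware.
# Re-applies the HTTP connection limit from the reply above each time the
# firewall is (re)started.  Assumed values: the 192.168.1.0/24 LAN and a
# limit of 500 concurrent connections.  Install with:
#   chmod a+rx /jffs/scripts/firewall-start

LAN_NET=192.168.1.0/24
LIMIT=500

# run CMD...: execute it, or only print it when DRY_RUN=1 (preview the rule
# without changing iptables).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# connlimit_rule MASK: the rule specification shared by -C (check) and -I (insert).
# --dport only works together with -p tcp.  --connlimit-mask decides what
# "one source" means when counting connections:
#   32 (the default) limits every LAN host separately to $LIMIT;
#   24 counts the whole /24 as one group, i.e. the subnet-wide total.
connlimit_rule() {
    echo "FORWARD -s $LAN_NET -p tcp --dport 80 -m connlimit --connlimit-above $LIMIT --connlimit-mask $1 -j REJECT"
}

# add_limit MASK: insert the rule unless an identical one is already present,
# so repeated firewall restarts do not pile up duplicate rules.
# $rule is left unquoted on purpose: it must split into separate arguments.
add_limit() {
    rule=$(connlimit_rule "$1")
    if [ "${DRY_RUN:-0}" != "1" ] && iptables -C $rule 2>/dev/null; then
        return 0        # already installed
    fi
    run iptables -I $rule
}

# Only act when invoked as the firewall-start hook itself; sourcing the file
# elsewhere just defines the functions (e.g. to preview with DRY_RUN=1).
case "$0" in
    */firewall-start) add_limit 24 ;;
esac
```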

Actually I only need it against specific ip's, as I'm using dhcp by MAC address. The issue is, well.... Kids.

As good as the wireless on a rtac66u is, it is a shared resource, just like an old hub, as opposed to a switch. I'm sure I'm not telling you anything you don't already know, just explaining my reasons really. Too many wireless devices, and kids that want to stream or otherwise download flat out. I need to restrict their given ip addresses to less connections, less bandwidth, and assign quotas so they can't exceed my provider's quota.

Then everyone can access fairly well, and without ending up throttled to dial up speeds!

Fabulous blog and an awesome resource for those of us fortunate enough to be surfing on the Dark Knight with the Merlin firmware.

Yesterday, after experiencing some strange problems on my router with an older firmware (where I was not able to access the router interface from any wireless client on the LAN), I decided to reset the router and upgrade to the 3.0.0.4.372.31 FW. It runs *much* better, except I am not able to make any changes to the Administration -> System page, so I can't enable connection to the router from the WAN or any of the other functions on that page.

The System page doesn't seem to fully display (the tabbed menu at the top does not appear), and when I press the Apply button, nothing happens.

Chris, I'm running that fw also with no issues. Did you reset to factory defaults and either upload your saved settings, or redo from scratch? (After flashing new firmware of course) If that doesn't work I'd reflash it perhaps, and clear NVRAM, and try again.

Great question; this one is a bit tricky. Unfortunately static routes, as I'm sure you know, route by the destination rather than the source, so they're out of the question. Here are a couple ways you could tackle the problem:

- Set static routes based on destination after OpenVPN client init. Here is a good conversation along those lines. Essentially this will route all machines on your network over the VPN for specific sites (Netflix, etc.) and route traffic not destined for those sites directly out.

- A second routing device: While there are devices made for this specific purpose it may be cheaper depending on what you have on hand to set up a VM as another router that sends all traffic through the VPN. That way, you could use that VM as the VPN client and direct all devices (your TV) that you want VPNed through that box as the default gateway. As another potential solution along the same lines, here's an amazing project that uses a Raspberry Pi as the router! (talk about cheap)

- You could get a VPN service that is DNS selective like unblock-us or overplay. These work by replacing your standard DNS servers, which you would have to insert into your router configuration. When you request the IP of a service that is generally region blocked like Netflix, the service returns an IP address of one of their servers and then creates a session on the fly to dynamically route your access to that site through their servers.

Quite right, QoS on this is not very good. I did try using it, but with 20 odd devices, both wireless and wired, all it seemed to do was make everything for everyone incredibly slow, regardless of priorities given.

I have a new issue now, but I think it's a genuine bug rather than a config thing. The parental controls no longer seem to work. If enabled, and a schedule set for a given MAC address, it seems to just block that MAC address at all times, regardless of the schedule.

Everything appears fine, it just won't let it out. All reachable on the LAN side, just doesn't want to allow it to reach the net. Quite frustrating! I have mailed Merlin to see if he can shed any light as it's only been in the last couple of firmware versions that this started happening.

Hi Toby, very nice blog, full of useful information! I was wondering if you could describe the log capabilities of Merlin's firmware a little bit more? My idea is to leave the 66U in an apartment, for free WiFi to my customers, but according to the law, I have to track IP addresses, dates, MAC addresses... So I want all the log information to be transmitted through the internet, for example, in order to keep them. Is there any means to do that?

Hey @Dave! I've heard of some issues with parental controls, but I'm not experiencing your issue. I did write a comment that discussed the workings of the controls on 6/22 directed to beeker... perhaps that info would assist you in your pursuit.

@Les gites de Liaven: That sounds like an undertaking, perhaps one for its own article. I'd start here: Set up a USB stick as outlined in the article. You should be able to see it under the /mnt (/tmp/mnt) directory. You'll probably need a big one if you plan on logging that much! Next, change your iptables rules in the forwarding chain to log; for override info see my comment to Dave from 8/15. For how to do IPTables logging, see this and this (tips section). I would take other measures as well, though, because there are a few issues: for starters, note that by default clients won't be isolated from each other, and as Dave and I discussed it will be very easy for one client to exhaust network bandwidth. Good luck!

Yeah I emailed Eric and he said he has seen a few reports of the parental controls no longer working, both on his, and the stock firmware but hasn't had a chance to look into it as yet.

As for the logging, agreed, use a USB stick as described, rather than the router's RAM (default I think) and then perhaps a small script via crontab to make a copy at a given time, email forward or email it etc. and then delete the original so it doesn't get overloaded, perhaps daily or weekly? I'm a bit out of the loop with *nix but should be do-able?

Nice write up, I just have a noob question about why I temporarily disable the DHCP server; don't I need this service to connect to the internet afterwards? If it's just a temporary procedure while I make the tweaks, can I unplug the modem or should I disable it in System Preferences > Network?

@thepope: I could have worded that part better... I was referring to if you have an internal DHCP server other than the router from your service provider. You'll need to leave that one (the ISP router) on. I've updated the post with more specific instructions. Thanks for reading!

Hi Toby, I've been searching the net on how to optimise my gaming experience with the AC66U as lately I have been getting lag spikes with the game I'm playing, Heroes of Newerth... I know this is probably not what you were expecting but any advice would be great, cheers. Jasper

Hi Jasper, tough to say, but generally I would doubt that the router would be to blame. Most games use UDP, so bufferbloat wouldn't be an issue except in extreme circumstances. (Though I haven't seen bufferbloat on this router.) The only way it could be caused locally is by overall bandwidth exhaustion, and in that case there isn't much you can do about it. While some vendors tout "gaming priority"/QoS solutions, those don't really work (including on this router) because the QoS tags need to be honored by every router along the way. Obviously that would never happen, which is why those solutions aren't effective.

Anyhow: I'd start by making sure you're not exhausting your bandwidth in any other way. You can use the traffic manager->Traffic Monitor tool on the router to ensure nothing else is using any bandwidth and then try playing the game again.

If you've ensured that there is nothing else sapping your bandwidth inside your network and the problems persist, the issue is either with your PC or your connection. There are all sorts of routes to go from there; connection wise I'd try pingtest.net first; their test emphasizes packet loss & latency, which is what is important in your situation. (rather than bandwidth)

Jasper, I'll just add, whilst not with this particular game, I have been through my fair share of online gaming latency issues, and it's never been really anything to do with my router, but the ISPs' routers, between me and a given game server. Can even be your own street's lines (especially if overhead lines). If you're sure that you have done everything right as far as the router is concerned, as in, either using UPnP (I prefer not to for security reasons) or have forwarded the correct ports to your machine (or console for that matter), then have a look at your modem first. You should be able to gain some insight from it. If it's an ADSL connection for example you might check your sync speed, and line attenuation against your relative line distance to the exchange, and also see that your SNR (signal to noise ratio) is within acceptable limits. ISPs often 'profile' accounts as high as 12 SNR but will put it to 6 which will significantly help your latency, if the lines and distance to exchange will cope with it. It is possible to tweak it down to about 4, which is better again, but any lower and stability becomes an issue. If you're sure that is all ok, then it's time to suss out what's going on between you and the game server.

It's not always easy to make ISPs get off their butts to check out what's going on... so you need to arm yourself with some information to get them interested enough.

So, you at this point should already know that the router, and modem are ok, so run some tests.

Launch the game, and connect to the server, but alt-tab back to the desktop once it's connected.

Run 'cmd' and in the cmd prompt type 'netstat -ano'.

This will give you a list of all connections, with the PIDs (process identifiers) so you can see what exactly is using ports or connections.

Launch task manager (Ctrl-Alt-Del) and make sure 'PID' is checked under the view menu, and 'select columns'.

Now you can match the PID of all running programs to what is listed in your command prompt, and therefore know what's using what over the net.

So, now you should have identified the IP of the server your game is connected to.

Either in the same command prompt, or a new one if you like, type:

pathping IP-address-of-game-server-goes-here >> c:\pathping.txt

It takes a while to run... about 5-6 mins, but when it's finished, the cursor will return to a normal prompt, and if you look in the root of your C: you will find a file called 'pathping.txt'.

Open it up and you'll find a traceroute from you to the game server, and then some statistics.

What it does is ping each router or server in your path to the destination 100 times each, and lets you know how many are lost for each.

More than 3% loss is fairly bad. If you can identify consistent losses from the same servers in the path, and you give this information to your ISP they should be able to do something about it. Either themselves if they own them, or by contacting the relevant ISP that is forwarding your connection for them.

They might also get a Telstra tech out to run line tests between you and the exchange.

It's a bit of a pain in the butt, but I've found it's the only way to get through the tier 1 script reading 'techs' that don't really know what they're talking about and get an admin / tech that does ;)

Whoops! Forgot to add, if you see in your pathping stats servers that are showing 100% loss, ignore them, they are more than likely firewalls that are deliberately not responding to the ping request. You're looking for ones that do respond, but not consistently.
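A parser for the statistics section that pathping writes, applying the two rules from the comments above (more than 3% loss at a hop is worth reporting; hops at 100% loss are ignored), as an added example that is not part of the comment thread. It is a POSIX shell/awk script rather than anything run in the Windows command prompt; the trace it parses is constructed for the example (hostnames and addresses are made up), and it assumes the column layout Windows pathping prints: hop, RTT, Source-to-Here loss, This-Node/Link loss, then address.

```shell
#!/bin/sh
# Added example, not part of the comment thread: reads the statistics section
# of Windows 'pathping' output (the c:\pathping.txt file from the comment,
# copied to a machine with sh and awk) and applies the comment's two rules:
# flag hops whose "This Node/Link" loss exceeds the threshold (3% here), and
# ignore hops at 100% loss, which are usually firewalls that do not answer
# pings at all. The SAMPLE trace below is constructed; hosts are made up.

LOSS_THRESHOLD="${LOSS_THRESHOLD:-3}"   # percent, as in the comment

# stdin: pathping output. stdout: "hop address loss%" for each suspicious hop.
flag_lossy_hops() {
    awk -v thr="$LOSS_THRESHOLD" '
        {
            # Normalise "  8/ 100 =  8%" into "8/100=8%" so fields split cleanly.
            gsub(/[ ]*\/[ ]*/, "/"); gsub(/[ ]*=[ ]*/, "=")
        }
        # A hop row: hop number, RTT, source-to-here stats, this-node stats,
        # then the address (possibly "hostname [ip]", hence NF >= 5).
        NF >= 5 && $1 ~ /^[0-9]+$/ && $3 ~ /%$/ && $4 ~ /%$/ {
            split($4, parts, "="); pct = parts[2]; sub(/%$/, "", pct)
            if (pct + 0 == 100) next        # silent hop: no reply, not evidence
            if (pct + 0 <= thr) next        # within tolerance
            addr = $5; for (i = 6; i <= NF; i++) addr = addr " " $i
            printf "%s %s %s%%\n", $1, addr, pct
        }'
}

# Constructed pathping output (not a real trace) in the layout Windows prints.
SAMPLE=$(cat <<'EOF'
Tracing route to game.example.net [203.0.113.77]
over a maximum of 30 hops:
  0  mypc [192.168.1.10]
  1  192.168.1.1
  2  10.0.0.1
  3  203.0.113.5
  4  isp-core.example.net [198.51.100.9]
  5  203.0.113.77

Computing statistics for 125 seconds...
            Source to Here   This Node/Link
Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  Address
  0                                           mypc [192.168.1.10]
                                0/ 100 =  0%   |
  1    1ms     0/ 100 =  0%     0/ 100 =  0%  192.168.1.1
                                0/ 100 =  0%   |
  2   12ms     5/ 100 =  5%     5/ 100 =  5%  10.0.0.1
                                0/ 100 =  0%   |
  3  ---     100/ 100 =100%   100/ 100 =100%  203.0.113.5
                                0/ 100 =  0%   |
  4   31ms     8/ 100 =  8%     8/ 100 =  8%  isp-core.example.net [198.51.100.9]
                                0/ 100 =  0%   |
  5   33ms     1/ 100 =  1%     1/ 100 =  1%  203.0.113.77

Trace complete.
EOF
)

# Run against the constructed sample: hops 2 and 4 are reported, hop 3 is
# skipped as a silent hop, hops 1 and 5 are within tolerance.
printf '%s\n' "$SAMPLE" | flag_lossy_hops
```

Run it as flag_lossy_hops < pathping.txt; the hops it prints are the ones worth quoting to the ISP. It reads only the This Node/Link column, so the per-link rows (the lines ending in |) are not counted, and a hop that answers every probe but sits behind a lossy link will not be flagged on its own.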

I'm not sure if you mean in or out, but either way.. yes. You can use IPTables rules to block or allow nearly any connection. For the official documentation, see here. You'll need to follow the instructions (don't forget the part under "Creating Scripts") on setting up user scripts to enable custom IPTables rules. To get you started, here's a rule that would drop all outgoing packets from 192.168.1.10:
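A user script of the kind discussed in the three comments above (logging forwarded connections to a USB stick for the free-WiFi question, Dave's cron-driven copy-and-clear of the log, and a rule that drops all forwarded traffic from 192.168.1.10), as an added example that is not the article's or the Merlin project's own code. It assumes the Merlin user-script directory /jffs/scripts with JFFS enabled, the stock syslog at /tmp/syslog.log, and a USB stick mounted at /tmp/mnt/LOGS; the chain name CUSTOMFWD, the log prefix and the LOGS mount label are made up for the example.

```shell
#!/bin/sh
# Added example; not code from the article or from the Merlin project.
# Intended to live at /jffs/scripts/fwlog.sh (assumed path) and be called as
# "/jffs/scripts/fwlog.sh apply" from /jffs/scripts/firewall-start, the
# Merlin hook that runs on every firewall restart. Assumptions, constructed
# for this example: chain name CUSTOMFWD, log prefix "FWD-NEW: ", syslog at
# /tmp/syslog.log and a USB stick mounted at /tmp/mnt/LOGS.

IPT="${IPT:-iptables}"
CHAIN="CUSTOMFWD"
BLOCKED_LAN_HOST="${BLOCKED_LAN_HOST:-192.168.1.10}"   # host from the comment
LOG_PREFIX="FWD-NEW: "
SYSLOG="${SYSLOG:-/tmp/syslog.log}"
USB_LOG_DIR="${USB_LOG_DIR:-/tmp/mnt/LOGS}"

# Print the rules for the custom chain, one per line, without applying them.
# Keeping them in a function means they can be reviewed (or tested) without a
# live iptables; apply_rules() feeds the same lines to the real binary.
fwd_rules() {
    # Drop everything forwarded from the one LAN host (the rule the comment describes).
    echo "-A $CHAIN -s $BLOCKED_LAN_HOST -j DROP"
    # Log the first packet of each new forwarded connection, rate-limited so a
    # single busy client cannot flood syslog (and the USB stick) with entries.
    echo "-A $CHAIN -m state --state NEW -m limit --limit 30/min --limit-burst 10 -j LOG --log-prefix \"$LOG_PREFIX\" --log-level 6"
}

# (Re)build the custom chain and hook it at the top of FORWARD exactly once,
# so re-running the script on firewall restarts does not duplicate rules.
apply_rules() {
    $IPT -N "$CHAIN" 2>/dev/null
    $IPT -F "$CHAIN"
    fwd_rules | while read -r rule; do eval "$IPT $rule"; done
    $IPT -L FORWARD -n | grep -q "$CHAIN" || $IPT -I FORWARD 1 -j "$CHAIN"
}

# Copy the in-RAM syslog to the USB stick with a timestamp, then truncate the
# original in place (truncating rather than deleting keeps syslogd's open file
# handle valid). Meant to be run from cron, e.g. nightly.
rotate_log() {
    src="${1:-$SYSLOG}"; dst="${2:-$USB_LOG_DIR}"
    [ -s "$src" ] || return 0
    mkdir -p "$dst"
    cp "$src" "$dst/syslog-$(date +%Y%m%d-%H%M%S).log" && : > "$src"
}

case "${1:-show}" in
    apply)  apply_rules ;;
    rotate) rotate_log ;;
    *)      fwd_rules ;;      # default: only print the rules for review
esac
```

Run with no argument to print the rules before going live; have firewall-start call it with apply. For Dave's nightly copy, add a cron entry from services-start with the Asuswrt cru helper, for example cru a rotatelog "0 3 * * * /jffs/scripts/fwlog.sh rotate". The matching syslog lines start with "kernel: FWD-NEW:" followed by the usual IN=/OUT=/SRC=/DST= fields. The LOG rule is rate-limited on purpose: an unlimited log rule on a guest network lets one client fill the stick and starve syslog of space.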

Was wondering if you could help me figure this out. I have done just about everything 2.5/5 Ghz both provide transmissions of only 145mbps. Nothing pushes it above. I am currently using the stock firmware.

There are a lot of things that could cause a slow transmission rate. Have you tried different devices to see if the rate differs across them? Note that it's not just the router but the client that dictates the effective rate.

I'd start by giving this article a read; it's one of my favorites. After that, make sure interference isn't an issue and that your channel widths for either 2.4 or 5 aren't limited on the client device. Note that in most situations, you'll have a better shot at high transfer rates on the 5ghz spectrum.

Hi Toby -- I just purchased an RT-N66U to replace a Linksys wireless router that I'm running in bridge mode. The Linksys has a wired connection to a TP-Link TR-860 router. Do you know if the RT-N66U can operate in this fashion, and, if so, do you know how I can set it up? I've tried logging into the device using the IP address assigned by the router, but that doesn't work.

Thanks! I think the easiest way may be to add a NAT rule rather than change the port on the daemon. (That would require using the services-start module with some other mods.) To add a NAT rule, you'll need to set up a nat-start script. To do so, follow the instructions to set up scripts. (Make sure you pay attention to the "creating scripts" section.) Before doing that, you'll need to make sure the JFFS partition is enabled as well, which is under the Administration->System heading. Try the following rules:

Hi @rcxyz, I'm not exactly sure what you're trying to do so forgive me if my advice is not applicable. If I understand correctly, your R860 provides access to the internet and you would like to hook your clients through the N66U and then out through the R860. If that is correct, it should be relatively easy to accomplish; the only issue with your approach is that you need to log in to what the N66U considers to be the "internal" interface. Logging into the interface that is pulling a DHCP address from the R860 will not work because the router (N66U) considers that to be external and the web portal is not exposed on that interface. When you first set up the N66U you'll need to manage it using 192.168.1.1. If this conflicts with your current IP schema you'll need to isolate it with a workstation, do initial setup, change its (N66U) IP, then hook it back up to your R860. You would then set your clients to route through whichever device you want by setting their default gateway to the IP of the appropriate device. Make sure you only have one active DHCP server; i.e. if your R860 is handing out addresses turn it off on the N66U. That said, if you want all the firewall features, etc. of the N66U then you'll want to turn off the R860 DHCP and make sure all the clients are behind the N66U.

Hopefully that helps, feel free to post up if you would like more help!

I might add, that I run a bridged setup with an RT-AC66U, and a Netgear cable modem/router/wifi. If your R860 supports bridge mode, put it into that, then connect your N66U and reset it so it goes thru the initial setup. It should pick up and control the other router pretty much purely as a modem from there. If it doesn't support this, you'll have to try it as Toby suggests. If it does, but you run into issues, you'll just have to reset the primary router to get it back. Take note of default addresses for both etc., and if your machine has two LAN ports make use of them and run 1 to each until you get it right ;)

"Note 3: I'm investigating an issue that results in WiFi being unable to communicate with the LAN ports. It manifests itself in the log as: Jan 11 17:05:23 kernel: eth1: received packet with own address as source address . I'll post updates on this later." I get this message every day. Any clues?

I haven't fully yet, but I know that the occurrences of it went down dramatically once I did point #18. (naming radios differently) If you're not having any routing problems I wouldn't worry about it. Thanks for reading!

I have replaced a Linksys with this Asus and suddenly I am no longer visible to the P2P peers. The port forwarding setting is pretty straightforward and still no luck. Even with the DMZ setting, I'm still not visible (I'm using PFPortChecker to test this).

Hey @Sega! I can't think of any reason it wouldn't work on the new router; you may want to double check which ports your program is expecting to be forwarded and try re-implementing forwarding with the steps outlined in step #16. Good luck!

I'm having a recurring issue as of late with the router that causes all devices connected via wireless to lose connectivity. It's as if the WAP reboots itself or turns off its radio signal. This happened tonight specifically where my Lenovo laptop, Macbook Pro, and iPad all dropped wireless connectivity. The modem was fine and live. All lights on the router were also active (as far as I could tell). This also happened before I updated to the most recent firmware (3.0.0.4.374_726). I've done most of your instructions other than the dual SSIDs for 2.4 vs 5ghz which seems obnoxious to have to do (no offense to you at all). Any ideas?

Thanks for Reading; I was having the same problem with this router and I tracked the problem to the iPad hopping back and forth between the channels. While I don't like changing the SSID names between 2.4Ghz and 5Ghz, I haven't had the issue since I changed them. I'd recommend giving that a shot and seeing if the problem goes away. Good luck!

I have an RT-N66R on a shelf in the closet. To extend range (particularly to the north and south) I replaced the 3 smaller antennas with 3 much longer 15 dB gain antennas. They came with a short coaxial cord which allowed me to place them 4 feet higher. My questions are, 1) What does the distance need to be between each antenna; 2) Do they need to be angled 45, 90 and 135 degrees to horizontal; and 3) If I need my best range to be to the north and south of my router's location, should the 3 antennas be positioned in a straight line north/south or east/west?

That's a great question, and not an easy one to answer. RF coverage can be nearly a career in and of itself. The direction, angle, and placement of your antennas will depend entirely on the specifics of the antennas selected. I like to approach the problem by studying the transmission pattern of the antenna in question (which should be available in the manufacturer docs) and then visualize the pattern when I set up. After that, I confirm coverage with a tool like inSSIDer or similar.

There are also some great articles out there to help with the process. One of my favorite sites out there, small net builder, has a few good articles: Choosing an Antenna, Fixing your Wireless Network, and this article that directly addresses many of your concerns.

I'm sure with a bit of tweaking you'll have the coverage handled in no time. Have fun!

Hi Toby, I really like your articles and upgraded to the latest firmware 374.35_4. I have an internet speed problem and wonder if you can give me some pointers. I noticed my internet speed dropped a day ago and did a speed test using www.speedtest.net with and without the RT-AC66U (hard wired to desktop). The ping and download speed without the router are 23ms and >10 Mbps. With the router, the ping and download are 1500ms and 2Mbps. I have reset the router back to factory settings a couple of times. The strange thing is that the first speed test was on par right after I reset or rebooted the router and the speed tests were bad after. I wonder if you have seen that happen to Asus routers before? Thanks. Kevin.

Thanks for the compliment! Re: your issue, that's a tough one. I have not seen that issue myself, so without the ability to reproduce it, it is very difficult to say what could be wrong. You've already taken the prudent steps of taking it out of the loop and resetting to factory defaults; I'd add the following to try:

- Revert to older firmware (x.x.x.x.x.2x series, reset factory again)

- Make sure Jumbo frames are disabled (Advanced->LAN->Switch Control->Enable Jumbo Frame->No)

- Toggle HW Accel (Advanced->LAN->Switch Control->Enable HW Accelerator->Change)

- Ensure you don't have some odd speed/duplex negotiation issues either to or from your Asus router. Hard-set link speeds and duplex where available.

Hopefully one of those helps you out; problems like that one can be tricky. Good luck!

Hi Toby - just found your post. Great reading. My problem is this. I purchased a slightly used RT N66R from a friend in New York. I live in Wisconsin. After also just purchasing a new 16GB Apple ipad Air, I found Apps I installed on the iPad, like "Find My ipad" and a Download Speed Test app all think I am located in New York. I took the iPad to our local library and found using their wi-fi, it correctly located it near the library. The speed test app also selected a location to ping in Wisconsin.

I suspect the router is the cause. Any ideas? What can I do to resolve this issue? I have tried resetting the router by holding in the button for at least 20 seconds, but this does not change anything after reentering the setup data. Hope you can help. Carl

Thanks for the kind words! I'm wondering if the incorrect NY info is a result of how the iPad pulls location data; assuming you have the wi-fi version of the iPad Air, it's not actually capable of pulling real geo location. Using solely wifi the iPad is only capable of determining your location via crowd-sourced data from devices with a GPS. For example, if you had an iPhone that hooked to your wi-fi, that would send the geo-data to Apple, which Apple would then use to determine your location on your iPad. That would explain why it works at the library but not at your house. More info on this can be found here and here.

That said, I'm not sure if the crowd sourcing stores MAC address of the AP or what; if so it is possible that the person you bought it from had connected to the wifi with an Apple device that reported that information, and that would explain why Apple is telling you that your iPad is located where you bought it from.

If that's the case, invite a bunch of friends with iPhones over, have them connect to your wi-fi, then open their maps app and determine their location. (this discussed @ Apple here.) After I had a few folks over at my place I'm now identified correctly; previously according to Apple I was located in Siberia. :)

Thanks for your explanation Toby. Yes you are correct, my iPad Air is Wi-Fi only. Over the Christmas holidays I hope to have a few visitors that may have an iPhone and have an opportunity to try your suggestion.

I will check back after trying the iPhone theory and report my success or failure. I sure thought the used ASUS router was causing the problem because it was retaining location info in some memory chip. I see it is possible to change the IP address. Is this a possible solution? Carl

Hi, nice write up. I have a question about the router. I have the AC66 version. On my speedtest.net my download speed is about 33mbps on all devices. But on my phone, which is a Galaxy S4 which supports 5GHz AC, the speed would be 33mbps for a day then drops to 14mbps after that, then I would have to reboot the router to get it back to where it was. Any help would be greatly appreciated

I doubt it; internal IP addresses won't matter as I'm sure Apple wouldn't use that as the key for the geo-data since it wouldn't be unique. I'm guessing your external IP is assigned via DHCP from your ISP so there is no controlling that. If I were a betting man though(good thing I'm not), I would put my piles and piles of gold doubloons on the MAC address of the wi-fi access point being the index.

@Keng, Thanks! That is odd. If you reboot your phone (not just standby but a full reboot) does the problem go away?

Keng, I'll take a stab and say I think it has something to do with the logging options, being that they get put in RAM by default. File gets larger, and less RAM available, its ability to network suffers. I had some similar issues at one stage. Disable Per IP logging if you don't need it. Make sure hardware acceleration is enabled. You can also stick a cheap thumbstick in, enable your jffs partition, and have it store logs there instead. Alternatively, you could just schedule a reboot of your router in the middle of the night, every night via cron.

That can be difficult, but made much easier if you know the machine you are targeting. If you know the MAC or (preferably) IP of the machine you could create custom firewall and/or QOS rules.

Generally speaking though, distinguishing P2P traffic from other type of traffic for all your machines can be very difficult. If it is bittorrent you can try the solution outlined here. For more information on custom firewall rules look through the comments in this thread.

Hi Toby, I have an odd one for you. So, I bought an Asus EA-N66 adapter to get 5G to any ethernet enabled device around the house; works brilliantly with my PS3. But the issue is, if I use FTP to download from my PS3 to my PC, over 5G, I can get about 10mb/s, but upload to it, and it's about 3mb/s. Any ideas for why it's so slow the other way? I can't seem to find the cause..

I tried to upgrade to the latest firmware and had to roll back to the 276 version for the N66U. Experienced a 75% reduction in wireless speeds for both 2.4 and 5 frequencies with the newer firmware. Did a complete reset before upgrading, still no luck. The only thing that restored my wireless speeds was reinstalling the 276 firmware. This issue needs to be addressed by ASUS. I have seen some people report the same issue with the newer AC66U router also.

That may be possible (see the firewall rule discussions in the comments here) but I think it would be less work to put a parental restriction product (i.e. NetNanny) directly on the PC you're trying to control provided you have access to it and can prevent the user from using an administrative account.

If you're looking for an exercise in learning IPTables, however, it may be worth the effort. :)

I'm thinking that might have to do with your signal strength/connection methodology of your PC vs. PS3. Perhaps in this case your PS3 has a better connection; when it is the sender it is responsible for much more data than the other end, but when you switch roles the weakness of the PC connection could be causing the issue.

If you look @ your System Log->Wireless log you should be able to get connection type and strength stats; hopefully that will help you get to the bottom of it...

Good idea. Actually my PC is connected to the RT-AC66U via ethernet, so it's just the router to the EA-N66. I had a look; on first connection it showed 405rx/450tx (that's not a typo), on the 5ghz band. After a little bit, it dropped to 6/6. So I FTP'd into it, and it picked up to 6rx/450tx. Download from it, back to my PC, and it holds 450tx, but when sending the other way, if I keep refreshing the wireless log, it shows its rx rate switching between 450 and 6 every few seconds... Maybe it is an RMA of the EA-N66.

Hey @Dave! Interesting... one last thing to check: if you set the "Channel Bandwidth" setting (Advanced->Wireless->General->Channel bandwidth) to a specific value rather than auto (20/40/80), is it more consistent?

Sounds like you're following good best practices though I'm a bit confused about the 12 hour reboot/MAC address clone need; that may indicate that you had a low level firmware misconfiguration or even a hardware problem. If you have the time, it may be worthwhile to try a full settings reset as Eric outlines here. Beyond that, I'd point at the LaCie device, but that's only a hunch based on having seen other connectivity issues running similar devices connected to Linux.

As a last resort, it may be worth trying a daily reboot scheduled for a time when it won't bother you, to see if it helps the situation. You can find instructions on doing that here.

By default on the Merlin (and I believe the Asus standard) you should be able to access the management page from WiFi as well as wired. There is, however, a way to limit access to specific IPs under the administration->system page. Perhaps you have some IPs listed there?

I just recently updated the firmware to 3.0.0.4.374_5517. I attached a 2GB USB stick to the router in hopes to log anything such as firewall traffic. I can't seem to find the options you mentioned. Could you please let me know how to save this info to it please? Thank you very much in advance! Brandon

I think your issue may be that you are using the stock ASUS firmware, rather than the "Merlin" version, which has extra goodies, such as (maybe) the choice of logging destination. The stock firmware zip from ASUS is called FW_RT_N66U_30043745517.zip. The latest Merlin version (as of this comment) is called RT-N66U_3.0.0.4_374.42_0.zip.

BTW, the memory stick I stuck in (FAT formatted) doesn't automount. I had to ssh in and do it by hand.

Thanks @Hank (Saturated), excellent observation! Hopefully that will get you going @Brandon.

While the stock Asus firmware has come a long way, it is still missing some of the functionality that the Merlin build has. I recently switched back and forth and I still recommend the Merlin build. Note that since Eric has based it off of Asus' released source, generally speaking it differs only in the added functionality and bug fixes.

Not sure what seems to be the problem but I can't get the Merlin parental control to work with DNS filtering. Only the global filter works for me. I enabled the DNS filter, set the global filtering mode to none and added all the clients to filter with Norton Family; it does not work. If I change global filter mode to Norton Family all the clients are filtered, but if I set it to none then individual clients are not being filtered. Any ideas what I am doing wrong? Searched around on https://github.com/RMerl/asuswrt-merlin/wiki and smallnetbuilder but couldn't find a basic tutorial to point out if anything is wrong. I am using the latest Merlin firmware.

Hi, I bought this new RT-AC66U router today and found that it was fairly easy to setup...yawn.

Until my wife got home and started her iPad....

Everything wired works fine both internal and external but all wireless is completely dead, no connection whatsoever to the internet, and this led me to your site and the Merlin builds, which I now have installed the latest version of. Lots of new good functions but still no wireless connection outside the house and I cannot find out why????

Unfortunately I don't have much experience with the new DNS filtering; I recently had to roll back to an older build to avoid an issue specific to my setup. If you exhaust all options in setting up the new firmware and DNS filtering is one of your primary goals, you could consider rolling back to a build pre-.39; I have tested the old Yandex service and that works fine. That said, I know folks using the new one successfully, so perhaps try switching from Norton to Yandex or OpenDNS to see if the behavior changes?

@Tobee (nice name :)) Try making sure your 5Ghz radio and your 2.4 Ghz radio have a different SSID name. I had this same issue with Apple devices and found it was because they were bouncing between the two different spectrums, causing issues with DHCP. By naming them differently (SSID, SSID-5Ghz) it ensured that the devices stuck to one or the other and my problems went away. Hopefully that fixes the problem for you. Good luck!

Hello, I just recently picked up the RT-N66R, and I have been having issues getting two Xbox Ones to be able to join the same game. I've narrowed it down to it being an issue with the NAT type. Before this router I never had any issues being able to join the other Xbox's games. I tried turning UPnP off and just port forwarding but no luck there. Any ideas as to why I would be running into this issue with the new router?

Have you had luck using multiple XBoxes before with the same game? This problem is common because some Xbox Live services may want to use a specific port; since you only have one IP address there is only one of that specific port to attach to. When two boxes attempt to play through the same public IP they often have problems since only one can be forwarded at a time. (generally the UPnP or NAT rules have a 1->1 relationship) There are some routers out there that use some tricks with UPnP to attempt to solve this problem (to varying degrees of success) but unfortunately this may not be one of them.

A lot of games don't need a specific port and work fine, but it looks like you have run into a case where one does.

The XBox Live site has a bit of guidance on this here. Either way, in your case the only hope to have it work at all would be UPnP due to the dynamic nature of the need. You could play around with one Xbox in the DMZ to see if the rules handle the UPnP requests differently, but that's a long-shot.

Hi Toby, I have been trying to find a solution for my odd problem - would appreciate any ideas. I have the Asus rt-n66u and it was functioning well for over 6 months, but now 2.4 Ghz is a joke (5Ghz perfect). I have updated to the latest asus firmware (3.0.0.4.376_1071). The internet provider gives me 20Mbps - always perfect and good on 5Ghz. 2.4 GHz- constant fluctuation, slow, ranging from 1Mbps to 3Mbps, occasionally achieving 20. Sometimes it just completely drops, no internet. Pinging the router gives me spikes of 1 to 150 ms. Going crazy, searched the net, checked different channels etc, no success. Any ideas, recommendations? Would truly appreciate :-).

It sounds like that may be spectrum interference, and not necessarily from a competing WiFi AP. The 2.4ghz range is popular for all sorts of devices, and perhaps someone set up camp with a cheap cordless phone or something similar. The best way to detect this is by using a site survey tool... unfortunately the best aren't cheap (see this link). You could give cheaper/free apps such as Wifi Analyzer for Android a shot, but most of those apps only look for WiFi based interference rather than anything on the spectrum.

Short of the more expensive solutions you could move your equipment around to assess which direction the interference may be coming from.

Thank you, I will keep trying (somehow site survey tools seem a bit out of pocket range :-)) - I did try Android wifi analyzer, but nothing new shows up - no other local wifi networks. What really drives me crazy is that it's so intermittent - sometimes the 2.4ghz is ok for hours, and then it just loses connection totally - while 5ghz just works. No cordless phone, etc. Will try to test a different router at least to make sure that it's not the Asus. Thanks anyway.

Question: What settings within my Asus 68U router are needed for optimizing a wired Xbox One? NAT Acceleration? UPnP on or off? I already port forward but want to make sure everything is optimized for best low-latency gaming.

I'm certainly not a network/router settings guru. I have a basic understanding. I have had the RT-AC66U for about two years... since it first came out. Been working great. I did have to reboot every now and then, and found that my network speed would improve when I did. In the last week or so, none of my devices can see the 5 GHz network. I have multiple devices (iPads, iPhones, the newest MacBook Pro, Apple TV, DirecTV streaming between TVs, etc ...). Had no problems with any of those devices. I do connect to the Internet fine, on the 2.4 GHz network. My SSIDs are different w/different passwords. Just out of the blue, the 5 GHz disappeared. My MBP does have AC connectivity. When I log in to the router, everything looks normal on the 2.4 GHz and 5 GHz. I just can't see it on my devices. I have rebooted and reset the router to no avail. The router is supposed to be able to handle up to 5 different networks I believe, but I don't see where I can set up another network to test or set up another 5 GHz network. I did upgrade to the new OS X (Yosemite) a few weeks ago. Everything was fine. But a few days after that upgrade, and after rebooting the router, is when the 5 GHz network disappeared. Any suggestions? Thanks!!

That's odd; you're right... it shouldn't happen. Here's what I'd try, in order, checking for success after each step:

1> Take screencaps of your desired settings and then reset to factory settings using "Administration->Restore/Save/Upload Setting". After reboot, re-set your settings as desired. Don't use the "save" or "restore" settings because that may re-create the problem. Check to see if that took care of it.

2> If not, revert to an old version of the firmware, reset settings (see step #1) and check again.

3> "Fix" the router with a hammer until all networks disappear.

I'd advise flashing to stock firmware and utilizing factory warranty replacement before doing #3, but it's up to you. :) Good luck and feel free to post your progress if you like.

Hey Toby, any ideas on the best way to go about logging all joins and disconnects from WiFi?

I'm not even sure if disconnects generate log messages. When someone moves away from a wireless network, at which point does the router become aware that a client is no longer there without actually doing some type of ping to it?

I have a PS4 and HTPC w/ Win8 64-bit downstairs with N capabilities and both are connected wirelessly using the RT-NC66R. They are both getting less than 8 Mbps, while both mine and my wife's iPhones are getting 100 Mbps+. My wired desktop is also getting 100 Mbps+.

I tried a few solutions with the PS4 such as manually changing the DNS and IP but no luck. I haven't followed all the instructions listed on this page yet in fear of time and messing something up. I haven't enabled port forwarding or assigning a static IP either.

Before I begin the lengthy process, do you have any ideas on what I should be checking? Firmware is up to date as well. Thank you

It's possible that both your PS4 and your PC are connecting via the 2.4 GHz spectrum, while your iPhones are connecting via the 5 GHz spectrum. Since interference on 2.4 GHz is much more common, it could be limiting your rate.

To test this, change your 2.4 GHz SSID broadcast to a different name by going to "General->Network Map (default login page)->System Status->2.4GHz" and changing the SSID to something different, then clicking apply. This will force any clients using 2.4 GHz to re-prompt for the new SSID. If after that your iPhones connect without prompting but your PS4 or PC has trouble connecting, then that could be it.

If so, then your PC and PS4 may be impacted by being on a more crowded frequency range. While the PS4 doesn't support the 5 GHz range, your PC might. You can attempt to do so by examining the wireless NIC settings. As for the PS4, you will have to wire it, reduce interference on the 2.4 GHz range, or move the PS4 and the wi-fi closer to each other.

Hey Toby, that was it. They are connecting to the 2.4 GHz instead of 5 GHz. My iPhones kept connecting to the same SSID (5 GHz band) and got fast speeds, while my PS4 connecting to the new SSID was getting much slower speeds, same with the HTPC. You're right, they both prompted for the new SSID as well.

I guess I will find a way to wire my PS4 and HTPC. They are pretty far from the wireless modem (I would guess 60-70 feet then enclosed in a media cabinet).

Hi Toby: I am having issues with my FTP accessing movies over the internet. Some load, others never load and hang up the device. My ISP has 2 Mbps upload speed, is that the issue? Do I need to upgrade to 5? Or tweak settings on the router? Movies load without issue over the home network.

Hello Toby! I've faced a problem for a very long time now and would appreciate help. I've tried everything. The thing is that I have two routers, one asus rt n66u and a sluggish one with an IP-telephony port which I need, but I want my internet connection to come from the asus. I've connected the asus to the modem and then the sluggish router to the asus (from LAN to WAN) and set the asus as access point. This is the only way I've found that both internet and telephony work, and I've tried every possible combination. The thing is that I can't connect to the asus with all of my devices through wifi. Some successfully connect and some get stuck on "getting IP-address". Some that connected at one time might randomly get disconnected at another time and the other way around. I've gotten into my router settings and noticed that 127 clients were connected to the AP. Is that the problem? But how do 127 clients connect when I'm living in a normal house with few neighbors? And I do have a password. I would very much appreciate it if you could help me with this annoying problem.

Tough to tell; there are so many factors at play there. I will say though that FTP is not the best protocol to use for movie streaming; since it relies on TCP, your bandwidth is constrained by the fact that measures are taken to assure each packet arrives in order and perfectly. In the event that a packet is missed it is then re-transmitted, interrupting the stream. Better movie streaming protocols would rely on UDP, which is similar but doesn't care if packets are dropped. This is a much better choice in latency sensitive real-time applications like video streaming or VoIP calls.

If you have a machine on at home all the time you could consider using something like Plex, which not only relies on UDP to stream but can also transcode movies in real time to take less bandwidth if needed.

@Kristian

Quite a bit there as well, but here are a few things to check:

1> If you're not protecting your WiFi with a password I highly recommend doing so; having an open access point could open you to legal issues should someone decide to use it for nefarious purposes.

2> Assuming your sluggish router and the Asus are on the same subnet, you want to ensure that only one DHCP server is active. By default the Asus has its on and it should work fine in most scenarios, so you'll want to make sure that the DHCP server functionality is turned off on your sluggish router. The steps will vary depending on the router, but generally it will be referred to as "DHCP Server", "IP Pool", or something similar. You will need to make sure that is turned off. If you confirmed your sluggish router does have a DHCP server but you can't turn it off, you may need to try doing so on the Asus, as that is possible. Only one device on your network can be handing out IPs or you may see problems like you're experiencing.

3> That # of clients is huge. To get more details on who is connected review the "System Log" page and check the "Wireless Log" (for wireless clients), "DHCP Leases", and "Connections" pages. Note that connections will have quite a few since many may be listed for one host. If you have clients connected that you don't recognize you should definitely take measures (password, etc) to ensure you aren't sharing your connection with unwelcome visitors.

4> The only other thing I can think of based on what you mentioned is to ensure your 2.4 GHz and 5 GHz radios have a different SSID, especially if you have any iOS (Apple) devices. Some iOS devices will connect and disconnect rapidly if the two radio spectrums have the same name. To do so you can change the name of one of the SSIDs from the home page.

Hopefully that helps, if not post back with a bit more information and we'll get you working!

Thank you for your answer Toby! I have a pretty difficult password so I'm sure that the 128 (one more today, so 127 doesn't seem to be a limit, which I initially thought) clients aren't using my connection. I guess that they only detect it? The SSIDs are different for the different frequencies and I don't own any Apple products. The problem must be the DHCP server. I'm not that into router tweaking and such, but I can't seem to find the option to turn the DHCP off on either the router or the AP. I noticed that when I turned the Asus into AP mode I got fewer settings to adjust; might it be that I lost the option when I turned it into an AP? My sluggish router is an Inteno 150g I think. Some of my devices are able to connect to the wifi of the Inteno and some are connected to the Asus. However I still can't connect all of my devices to the Asus. The IP of the sluggish router is the normal 192.168.1.1. But the Asus's IP address is quite weird (178.174.162.62). Don't know if that made anything clearer. Is there another way to turn the DHCP off?

Tough to tell what could be going on, but I do suspect something may be strange with your overall network setup; it sounds like you may have two (or maybe three) class C address spaces in your network, and depending on your devices that could be what is causing the issues and the client connection count.

As an experiment you could try using the slow router connected directly to the WAN router and the Asus connected to that in AP mode only. That should simplify the IP addressing scheme and you can see if the # of clients and disconnects go down even though the router isn't optimal; at least that would identify your problem.

Note too that the Asus should be able to pass SIP traffic; I'm not sure if your IP Telephony hookup is a SIP endpoint, but if so you can enable NAT passthrough under WAN->NAT Passthrough->SIP Passthrough & see if that helps you get rid of the slow router overall.

@Trevor: Sorry, I can't help with that issue; I'm using Plex for my media server. If I were you though I would try looking at the system log for system log->general log.

I am getting the warning message 'maximum number of concurrent DNS queries reached (max 150)'. We have about 15 devices all connecting by wifi and my internet provider says either someone's laptop must have a virus that is overloading the modem with requests, or too many people have too many applications open at the same time. Is there a way to increase the limit to more than 150, or how do I determine what the actual problem is, as the internet speed keeps dropping?

That's pretty tough to tell without more information; there are quite a few variables at play.

The first thing I would check is the connection log ("System Log"->"Connections"->"Refresh") and look for IP addresses in the "NATed address" category with excessive connections. If any are far and away above their peers, then investigate that machine. Assuming you have Excel you can view the data easier by copying it and saving it to a text file, then importing it to sort by IP.
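The sorting step above can be scripted instead of done in Excel. The following is an added example, not code from the post or from Asus; it assumes the "Connections" page is exported as whitespace-separated rows with the columns Proto, NATed address (host:port), Destination (host:port) and State, and the sample rows are constructed, not a real export. It counts connections per internal host, singles out the hosts far above their peers, and separately counts port 53 traffic per host, which is what the "max 150 DNS queries" warning points at.

```python
"""Per-host connection counts from an Asus 'System Log -> Connections' export.

Assumed column layout (may differ on your firmware; adjust parse_connections):
    Proto  NATed_Address  Destination  State
Only IPv4 host:port pairs are handled; IPv6 rows would need a different split.
"""
from collections import Counter
import statistics

# Constructed sample rows, not a real export. Host .20 is flooding DNS (port 53).
SAMPLE_LOG = """\
Proto NATed_Address Destination State
tcp 192.168.1.10:49152 93.184.216.34:443 ESTABLISHED
tcp 192.168.1.10:49153 93.184.216.34:443 ESTABLISHED
udp 192.168.1.20:5001 8.8.8.8:53 UNREPLIED
udp 192.168.1.20:5002 8.8.8.8:53 UNREPLIED
udp 192.168.1.20:5003 8.8.4.4:53 UNREPLIED
udp 192.168.1.20:5004 8.8.8.8:53 UNREPLIED
udp 192.168.1.20:5005 8.8.8.8:53 UNREPLIED
tcp 192.168.1.30:40000 198.51.100.7:80 TIME_WAIT
"""


def parse_connections(text):
    """Yield (proto, src_ip, dst_ip, dst_port, state) for each data row."""
    for line in text.splitlines()[1:]:          # first line is the header
        parts = line.split()
        if len(parts) < 4:
            continue                            # skip blank or malformed rows
        proto, src, dst, state = parts[:4]
        src_ip = src.rsplit(":", 1)[0]          # drop the source port
        dst_ip, dst_port = dst.rsplit(":", 1)
        yield proto, src_ip, dst_ip, int(dst_port), state


def connections_per_host(text):
    """Total connections keyed by NATed (internal) address."""
    return Counter(src for _, src, _, _, _ in parse_connections(text))


def dns_connections_per_host(text):
    """Connections to port 53 keyed by internal address."""
    return Counter(src for _, src, _, port, _ in parse_connections(text)
                   if port == 53)


def outliers(counts, factor=2.0):
    """Hosts whose count is more than `factor` times the median of all hosts."""
    if len(counts) < 2:
        return dict(counts)
    median = statistics.median(counts.values())
    return {ip: n for ip, n in counts.items() if n > factor * median}


if __name__ == "__main__":
    totals = connections_per_host(SAMPLE_LOG)
    for ip, n in totals.most_common():
        print(f"{ip:16} {n:4} connections")
    print("outliers:", outliers(totals))
    print("dns per host:", dict(dns_connections_per_host(SAMPLE_LOG)))
```

Save the page's table as a text file, read it with `open(...).read()` in place of `SAMPLE_LOG`, and investigate any host the script lists as an outlier.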

My merchant card processor just started requiring us to use a compliance program from TransArmor. I failed their scan. It says encrypted communication channel on port 23. It says to transition to using more secure alternatives such as SSH instead of Telnet and SFTP in favor of FTP. If I install that Merlin firmware can I switch to ssh somehow? I don't see where to change it with the present factory firmware.

I have a lot of interest reading your exposed knowledge and I hope you will be able to help with the following need. I used to have a pfSense router on a fanless device that got fried recently. I have tried both dd-wrt and tomatousb on my RT-AC66U. With dd-wrt, as soon as I enabled the dnsmasq option, I immediately lost all internet access. The most interesting feature for me with pfSense was the DNS Forwarder service. I need that! I host multiple domains in some internal servers and it was a snap to set up on pfSense:

domain1.com -> 192.168.1.50
domain2.com -> 192.168.1.51
etc...

Then I could access these domains from the outside seamlessly. Can Merlin Asus firmware do that? How? Thanks a lot for your great articles.

Yup! Merlin includes dnsmasq; you have to enable and use jffs to store config changes. Eric has done an excellent job of writing up documentation regarding the custom config files here. DNSMasq info can be found here. I'm not entirely sure of your use case, but hopefully this is what you're looking for.

@Jeff

Hah! I can't fault you there, though I can't say I'd recommend consumer-grade routers for commercial applications; most of them use common soft(firm)ware components that aren't vetted for security. Assuming you're not using wi-fi, I would disable it as well. That said, I know small businesses may not be in a position to not only buy but support high-end equipment, so keep those scans going and make sure to update the firmware.

Nice write up and the comments are even more helpful. I stumbled across this because I bought an RT-AC66U and while some devices (my laptop and some of the Androids) are working well, I found that one tablet (Android) and an iPhone have frequent disconnects.

Checked this AM and noted that my SSIDs for both 2.4 and 5 are the same so I think when I get back home I will be changing one to see if that fixes the problem. I may go back through and do some of the recommended tweaking.

Hi Toby, Thanks for this whole walk-through. Now I have an odd one here. I've got an RT-AC66U with the latest Merlin firmware. It's set up as an AP behind my actual ISP router. I host a website on a server internally and I am unable to reach this via the Asus by DNS name. By IP it's not a problem. The website is reachable from my ISP router and externally too. Any ideas here?

I would guess that your ISP's router is using your ISP's DNS servers, which are unable to resolve private addresses. You could either have the router itself manage DNS, or your own server do it, or use a dynamic DNS / vhost with a port forward. If your IP is not static this may be worth looking into. Just an idea....

In either OS case there should be samples in files that exist there. These files (by default) have default precedence over DNS servers or local name resolution.

As an alternative, you could swap the order of your routers. Personally I use a couple different ISP routers (multiple connections) in front of the Asus router. This would allow for the use of DNSMASQ with the Asus router should you choose to do so.

Here's my problem. I have an RT-AC66U, firmware 3.0.0.4.378_9313 (latest at this moment).

Plugging my computer directly into the ONT, I get ~800 Mbps download and ~600 Mbps upload. However, when I plug the router in, the upload stays roughly the same (goes down to something like ~500 Mbps), while the download speed caps at ~210-220 Mbps.

I looked at all settings, discussed with the ISP for hours, I'm a bit stuck.

I have a Motorola SURFboard modem. I have an RT-N66U. I have the latest Merlin firmware. Here is my problem. When I download torrents straight from my SURFboard through ethernet, I get a solid steady 6.25 megabyte download. My Cox package max 50/5... is right at 6.25 megabytes, so this is working perfectly. When I hook up the RT-N66U through either the 5 or 2.4 channel, the download wildly fluctuates. From second to second it goes like.... 6.2, 5.2, 6.3, 4.8, 6.6, 6.8, 4.8, 5.1, 5.8.... something like that. I also noticed (and am 90% sure these two are related) the router CPU load fluctuates between 100% and 50%... second to second like a roller coaster when I'm looking at the GUI system status while downloading. Is it supposed to be like that? I feel like I am missing something.

Is there a way to null route an IPv6 network in Asuswrt-Merlin? Netflix blocks my IPv6 tunnel because it can't geo-locate it, so I'd like to force Netflix to fail over to IPv4 from my network, but leave IPv6 enabled for everything else.